Introduction

Malware has moved to the forefront of the information security landscape. Malicious files are involved in nearly every major data breach and is causing growing problems for corporate and home users. While host-based anti-malware products are a must, they are not getting the job done alone. The flood of ever changing malware continues to flow over the walls of protection and into our systems. Once the malicious files have embedded themselves, the challenge falls on the incident responders and forensics experts to identify, contain, and eradicate these threats. This article is the first of a series focused on arming those responders with additional tools to accomplish the job.

The target of this article will be malware that infects the Microsoft Windows platform and more specifically Portable Executable (PE) based malware. PE files typically exist on Microsoft Windows systems as .exe, .dll, .scr, and .sys files, most of which are housed in a limited number of well-defined directories. This article will explore ways to discover malware by identifying PE files that exist outside these typical, designated locations.

Typical Locations

Establishing a baseline for where executable files should reside is important in understanding which files are suspicious. Executables are typically divided into two major categories: system files and application files. Most system files are located in subdirectories under the C:\Windows directory with a few additional system files residing in directories such as C:\Boot and C:\DRV. Application files predominately reside in application specific subdirectories under C:\Program Files and C:\Program Files (x86). Additionally, Windows temp directories will temporarily store files used during application installation or upgrades. These directories are often gray areas since both legitimate and malicious programs make use of temporary file locations.

Standard executable locations:
# System Files C:\Windows//* C:\Boot C:\DRV # Application Files C:\Program Files/<directory>/* C:\Program Files (x86)/<directory>/* # Temporary Files (%TMP%, %TEMP%) C:\Documents and Settings\{username}\Local Settings\Temp (XP) C:\Users\{Username}\AppData\Local\Temp
Suspicious Locations

Any executable file located outside a known-good location can raise suspicion, which leaves a very large surface area considering the number of directories on a typical Windows install. However, identifying the locations often favored for malware installation will help narrow the field of exploration. Malicious executables install themselves to writable areas on a victim's file system, the most common of which is the user’s home directory. Within a user's homepath, the Application Data, Local, Roaming and Temp directories typically see most of the action while less common locations can include the temporary Internet cache directories, file download locations, shared user locations, and the root level of system drives or program file directories.

Suspicious executable locations:
# User Profile %HOMEDIR%\Desktop %HOMEDIR%\Local Settings (XP) %HOMEDIR%\Local Settings\Application Data (XP) %HOMEDIR%\Local Settings\Temp (XP) %HOMEDIR%\Application Data (XP) %HOMEDIR%\AppData %HOMEDIR%\AppData\Local %HOMEDIR%\AppData\Local\Temp %HOMEDIR%\AppData\Roaming # Internet Cache %HOMEDIR%\Local Settings\Temporary Internet Files (XP) %HOMEDIR%\Local Settings\Application Data\Mozilla\Firefox\Profiles (XP) %HOMEDIR%Local Settings\Application Data\Google\Chrome (XP) %HOMEDIR%\AppData\Local\Microsoft\Windows\Temporary Internet Files %HOMEDIR%\AppData\Local\Mozilla\Firefox\Profiles %HOMEDIR%\AppData\Local\Google\Chrome %HOMEDIR%\Downloads # Shared User Locations C:\Documents and Settings\All Users\Application Data (XP) C:\ProgramData (W7) # System Locations C:\ C:\Program Files C:\Program Files (x86) ----- %HOMEDIR%: (XP) C:\Documents and Settings\{username} %HOMEDIR%: (W7) C:\Users\{username}
Identifying Suspicious Executables

The suspicious executable locations listed above can be applied during the live analysis of compromised systems or the post-containment forensics examination. Live analysis involves simply browsing or searching for executables in the suspicious locations noted above. The normal warnings of live exploration applies (potential damage to forensics images, rootkit hidden files, etc.) but circumstances dictate that live exploration is often necessary to triage a situation.

This article will focus on applying malicious file location information to the forensic timeline created by open source tools like Sleuthkit and log2timeline. However, these techniques are easily translatable to other tools.

Fri Mar 07 2014 16:15:41,713216,.a..,r/rrwxrwxrwx,0,0,1985-128-3,"C:/WINDOWS/system32/a.dll" Fri Mar 07 2014 16:15:41,4608,.a..,r/rrwxrwxrwx,0,0,2107-128-3,"C:/WINDOWS/system32/b.dll" Fri Mar 07 2014 16:15:41,229376,.a..,r/rrwxrwxrwx,0,0,2323-128-3,"C:/WINDOWS/system32/c.dll" Fri Mar 07 2014 16:15:41,1384479,.a..,r/rrwxrwxrwx,0,0,2775-128-3,"C:/WINDOWS/system32/d.dll"
Since the timeline is a textual representation of the file system, any text search or browsing mechanism can be used. This article employs UN*X command line tools.

Identifying Suspicious Executables in Timeline Files: # List all executable files within the users profile (%HOMDIR%) $ grep "C:/Documents and Settings/<profile name>" timeline.csv|egrep "\.exe|\.dll|\.scr" (XP) $ grep "C:/Users/<profile name>" timeline.csv |egrep "\.exe|\.dll|\.scr" # Reduce the output to only executes that were born within the period of compromise $ grep "C:/Users/<profile name>" timeline.csv |egrep "\.exe|\.dll|\.scr"|grep "b,"|grep "Mar .. 2014" # List all executable files within the user’s internet cache & downloads $ grep "<profile name>" timeline.csv |grep "Windows/Temporary Internet Files" |egrep "\.exe|\.dll|\.scr" $ grep "<profile name>" timeline.csv |grep "Mozilla/Firefox/Profiles" |egrep "\.exe|\.dll|\.scr" $ grep "<profile name>" timeline.csv |grep "Local/Google/Chrome" |egrep "\.exe|\.dll|\.scr" $ grep "<profile name>" timeline.csv |grep "/Downloads" |egrep "\.exe|\.dll|\.scr" # Locate executables in the root of Program Files and C:\ $ egrep "C:/Program Files/[^\/]+\"" timeline.csv |egrep "\.exe|\.dll|\.scr" $ egrep "C:/Program Files \(x86\)/[^\/]+\"" timeline.csv |egrep "\.exe|\.dll|\.scr" $ egrep "C:/[^\/]+\"" timeline.csv |egrep "\.exe|\.dll|\.scr"

Besides suspicious file locations, a few other timeline entries often prove useful in identifying malicious executables. First: Anti-Virus quarantine directories. File types beyond executables may be listed here, but AV quarantine is a good place to begin an exploration of the timeline. Malware installation often involves a multi-file infection process so if anti-virus catches just a single component, this can be a great way to narrow the timeline down to the area most relevant to the infection. Each AV vendor implements the quarantine folder slightly different. On systems protected by McAfee, a directory named Quarantine is place in the root of C:\ with each quarantined file generating a new file in that directory.

# Locate quarantined files in the timeline egrep "C:/Quarantine" timeline.csv

The final two timeline entry types to explore are Windows Prefetch and Zone Identifiers. The Prefetch facility in Windows speeds subsequent executions of a program, in part by creating a file in C:\Windows\Prefetch to keep track of the specific details of that program's executable. Windows constructs a Prefetch file name by appending a hexadecimal number and .pf extension to the name of the executable. For example, a prefetch entry for Windows command cmd.exe would resemble "C:/Windows/Prefetch/CMD.EXE-AC113AA8" . Zone Identifier is a Windows facility that warns users about executing applications downloaded from the Internet. Windows tracks downloaded files by placing a companion file along side the original download. These companion files share a similar filename as the original plus an appended " :Zone.Identifier". For example, browserhelper.exe would resemble "browserhelper.exe:Zone.Identifier". Identifying programs that have executed on the system, especially those downloaded from the Internet, are additional ways to zero in on malicious files within a forensic timeline. Prefetch can be especially useful in cases where malware has removed itself after execution; the file itself may not be present, but the prefetch evidence of execution will remain.

# List programs executed on the system grep "C:/Windows/Prefetch" timeline.csv # List executables downloaded from the internet grep ":Zone.Identifier" timeline.csv
While there are many other tips and tricks to exploring a timeline, the ones listed in this article will produce the most consistent results in finding malicious executables.

References
Microsoft Portable Executable and Common Object File Format Specification
http://download.microsoft.com/download/e/b/a/eba1050f-a31d-436b-9281-92cdfeae4b45/pecoff.doc

Understanding Microsoft Internet Explorer Cache
http://www.digital-detective.net/understanding-microsoft-internet-explorer-cache/

Internet Explorer
http://forensicswiki.org/wiki/Internet_Explorer

Mozilla Firefox
http://forensicswiki.org/wiki/Mozilla_Firefox

Google Chrome
http://www.forensicswiki.org/wiki/Google_Chrome

Windows Systems and Artifacts in Digital Forensics: Part III: Prefetch Files
http://resources.infosecinstitute.com/windows-systems-artifacts-digital-forensics-part-iii-prefetch-files/

URL Security Zones
http://msdn.microsoft.com/en-us/library/ie/ms537021(v=vs.85).aspx